CVE-2020-36998

MEDIUM

Forma.lms The E-Learning Suite 2.3.0.2 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36998. PoCs published by Daniel Ortiz.

AI-analyzed exploit summary This is a technical writeup detailing persistent XSS vulnerabilities in forma.lms 2.3.0.2, specifically in the course module and profile module. It includes vulnerable parameters, payloads, and endpoint details.

Description

Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization.

Exploits (1)

exploitdb WRITEUP
by Daniel Ortiz · textwebappsphp
https://www.exploit-db.com/exploits/48478

This is a technical writeup detailing persistent XSS vulnerabilities in forma.lms 2.3.0.2, specifically in the course module and profile module. It includes vulnerable parameters, payloads, and endpoint details.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: forma.lms 2.3.0.2
Auth required
Prerequisites: Admin access for course module exploitation · No authentication required for profile module exploitation
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 6.4
EPSS 0.0025
EPSS Percentile 16.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
forma/E-Learning Suite < 2.3.0.2
Published Jan 30, 2026
Tracked Since Feb 18, 2026